SA-001: Unauthorized Access to Non-Volatile Memory
Vulnerability Type: Incorrect Access Control
Affected Product(s): NPCT75x TPM1.2 with Firmware version 22.214.171.124.
Fixed Product(s): Firmware version: 126.96.36.199. Firmware updates are available from system OEMs.
Attack Type: Local
Impact: Information Disclosure, Modification of Data
Affected Components: Data in the TPM non-volatile memory
Attack Vector: Unauthorized access to non-volatile memory
In Nuvoton NPCT75x TPM 1.2 firmware 188.8.131.52, a local authenticated malicious user with high privileges could potentially gain unauthorized access to TPM non-volatile memory.
NOTE: Upgrading to firmware version 184.108.40.206 mitigates this vulnerability; however, version 220.127.116.11 is not TCG or Common Criteria (CC) certified (functionality-wise, there are no real differences between versions 18.104.22.168 and 22.214.171.124). Nuvoton recommends that users apply the NPCT75x TPM 1.2 firmware update.
CVE Identifier: CVE-2021-32015
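Added inventory check (example code, not Nuvoton's and not part of this advisory): a small script that reads the Linux TPM 1.2 capability file (/sys/class/tpm/tpm0/device/caps, whose "Manufacturer", "TCG version" and "Firmware version" lines are written by the kernel TPM driver), confirms the part is a Nuvoton TPM 1.2 via the TCG vendor ID "NTC" (0x4E544300), and reports whether the firmware predates a fixed version. The sample caps content and the FIXED_VERSION value are constructed placeholders; substitute the fixed firmware version quoted in the advisory. The comparison is numeric per dotted component rather than a string comparison, so "7.10" correctly sorts after "7.9".

```python
"""Inventory check: flag a Nuvoton TPM 1.2 whose firmware predates a fixed version.

Added example, not vendor code. Reads the Linux TPM 1.2 sysfs capability file
when present; the sample below is constructed so the check also runs offline.
"""
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed sample in the layout the Linux kernel's TPM 1.2 driver writes to
# /sys/class/tpm/tpm0/device/caps. The manufacturer ID is the TCG vendor ID for
# Nuvoton ("NTC"); the firmware number is made up for this example.
SAMPLE_CAPS = (
    "Manufacturer: 0x4e544300\n"
    "TCG version: 1.2\n"
    "Firmware version: 7.2\n"
)

NUVOTON_VENDOR_ID = 0x4E544300  # TCG vendor ID "NTC"

# PLACEHOLDER: replace with the fixed firmware version from the vendor advisory.
FIXED_VERSION = "7.3"


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '7.2.1' into (7, 2, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """True if a is older than b; shorter tuples are zero-padded ('7.2' == '7.2.0')."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    va += (0,) * (width - len(va))
    vb += (0,) * (width - len(vb))
    return va < vb


def parse_caps(text: str) -> Dict[str, str]:
    """Parse the 'Key: value' lines of the sysfs caps file into a dict."""
    caps: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.+?)\s*$", line)
        if m:
            caps[m.group(1)] = m.group(2)
    return caps


def is_affected(caps_text: str, fixed_version: str = FIXED_VERSION) -> Optional[bool]:
    """None if the check does not apply (not a Nuvoton TPM 1.2, or unparsable),
    True if the firmware is older than fixed_version, False if at or past it."""
    caps = parse_caps(caps_text)
    try:
        vendor = int(caps["Manufacturer"], 16)
    except (KeyError, ValueError):
        return None
    if vendor != NUVOTON_VENDOR_ID or caps.get("TCG version") != "1.2":
        return None
    firmware = caps.get("Firmware version")
    if firmware is None:
        return None
    try:
        return version_lt(firmware, fixed_version)
    except ValueError:  # malformed version string
        return None


def check_host(caps_path: str = "/sys/class/tpm/tpm0/device/caps") -> Optional[bool]:
    """Run the check against the live sysfs file; use the sample when it is absent."""
    path = Path(caps_path)
    text = path.read_text() if path.exists() else SAMPLE_CAPS
    return is_affected(text)


if __name__ == "__main__":
    verdict = check_host()
    if verdict is None:
        print("not applicable: no Nuvoton TPM 1.2 capability data found")
    elif verdict:
        print("AFFECTED: firmware predates fixed version, apply the OEM update")
    else:
        print("OK: firmware at or past fixed version")
```

On Windows the equivalent data comes from Get-Tpm (ManufacturerId and ManufacturerVersion); the same vendor-ID and numeric version comparison applies.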